* Virtualization brings security and flexibility

Enterprise security is often compared to a piece of candy: hard on the outside, soft on the inside. The problem with this model is that if your perimeter is breached, the damage can quickly spread from application to application. If, for example, your Web servers are allowed to “talk” to your VoIP infrastructure, a worm affecting the Web servers can take down your phones. A potential solution to this problem is to partition your data center by application so that the security risk can be compartmentalized.

But there are two problems with this approach. It can be very costly to deploy enough firewalls and other security appliances to partition the data center in such a fashion. Even more importantly, segmentation reduces flexibility. If you later decide that you want to integrate your telephony with your Web portal, allowing users to “click-and-dial” from the Web, you would have to re-engineer your security infrastructure to reflect this new business goal. By segmenting your data center, you are essentially “freezing” your current mix of applications by coupling them to a static security infrastructure. Locking your infrastructure based on your current business structure restricts your ability to innovate and react to changing business circumstances.

Securing the data center using a static security infrastructure is in direct conflict with the goals of “on-demand” computing, because your computing, storage and networking are virtualized, while your security infrastructure is based on static appliances. The solution to this conflict is to virtualize the security infrastructure so that you can change the security “layout” in software rather than having to rewire your data center.

Security vendors are already implementing the vision of a virtualized security infrastructure.
Inkra Networks is the pioneer in this field with a set of products that allow you to deploy firewalls, intrusion detection systems, VPN and load-balancing modules in a completely virtual “rack” that can be “rewired” using a software interface. This allows you to remotely apply a security policy that segments the Web servers from the VoIP infrastructure today, and remotely rewire the “virtual rack” to converge the Web and VoIP tomorrow.

In June, Cisco announced a virtual firewall module for the Catalyst 6500 platform that gives security administrators the ability to define “logical” firewalls between switching points. While Cisco’s VPN and IDS modules are not currently virtualize-able in the same fashion as the firewall module, this would be a logical next step towards completely virtual security services on the Catalyst.

Bottom Line: To respond to the emergence of the “porous” perimeter, data center managers must deploy security in-depth within the data center to protect applications from each other. To avoid throwing out the “on-demand” baby with the security bath water, the data center strategy should focus on virtual “on-demand” security instead of stand-alone security appliances.
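
As an added illustration (not from the article and not any vendor's product), the sketch below models the Web/VoIP scenario as a default-deny policy between application zones and computes what a compromised zone can reach under a flat, a segmented and a converged “click-and-dial” policy. The zone names, the extra `db` zone and the port numbers are assumptions made for the example.

```python
from collections import deque

# Constructed zones and ports for illustration only.
ZONES = {"web", "voip", "db"}

# A policy is a set of allowed flows: (source zone, destination zone, port).
# Flat network: hard outside, soft inside; every zone may talk to every other.
FLAT = {(s, d, "any") for s in ZONES for d in ZONES if s != d}
# Segmented by application: default deny, one explicit business flow.
SEGMENTED = {("web", "db", 5432)}
# Convergence is a one-rule policy change in software, not a rewiring job.
CONVERGED = SEGMENTED | {("web", "voip", 5060)}


def is_allowed(policy, src, dst, port):
    """Default-deny check of a single flow against the policy."""
    return (src, dst, port) in policy or (src, dst, "any") in policy


def blast_radius(policy, compromised):
    """Map each zone reachable from `compromised` to the ports exposed on it.

    Breadth-first walk over allowed flows. Conservatively assumes that a
    zone reached over any allowed port can itself become a new source,
    which is how damage spreads from application to application.
    """
    exposed = {}
    seen = {compromised}
    queue = deque([compromised])
    while queue:
        src = queue.popleft()
        for s, d, port in policy:
            if s != src or d == compromised:
                continue
            exposed.setdefault(d, set()).add(port)
            if d not in seen:
                seen.add(d)
                queue.append(d)
    return exposed


if __name__ == "__main__":
    for name, policy in (("flat", FLAT), ("segmented", SEGMENTED),
                         ("converged", CONVERGED)):
        print(name, blast_radius(policy, "web"))
```

Under the converged policy the VoIP zone is reachable from the Web zone again, but only on the single port the new rule names, and nothing is allowed in the reverse direction.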